Updating WordPress User Passwords When All Else Fails

by Woei Yu, May 14, 2015

I used to think the only one way to update a user password is through WordPress’ interface.

But there are situations where you may be logged out of the system and, say, the site was hacked and you’re unable to update/reset the password through the traditional methods.

Since WordPress is a database driven application, and the user account information is stored in the WordPress table name wp_users (or whatever table prefix you’ve used), you can update the password directly in the database, if you do what I’ll show you below

How WordPress Stores Passwords

User passwords are stored in the WordPress database in a MD5-encrypted string. This is a more secure way of storing sensitive information than plain text but when you are in a time crunch, it can be frustrating.

MD5 is designed for one-way encryption which means that you can encrypt new passwords but you will not be able to decrypt existing passwords. This is why if you lose your password, you need to reset it rather than have WordPress email your password to you.

Before we get into how to properly update the password, a brief overview is in order.

The WordPress database consists of many tables to store posts, links, comments, users etc. These tables have, by standard default names like wp_users, wp_options, wp_posts, etc. See below.

Default WP Database Structure

Default WP Database Structure

Most of the time, the user password is stored in the wp_users table.

But, if you are like me, and like to tighten up your WordPress security by eschewing the default WordPress table prefix and change it from “wp_” to something random and unique like “ka86cNpxT_”, just look for the table that ends in “_users”. That is probably the table you want.

Updating Encrypted Passwords

So, in the default WordPress database example here, I am using phpMyAdmin to navigate to the wp_users table

If you click on the “Browse” link, you will see a list of all the users.

To Edit WP User Table

To Edit WP User Table

In this case, there is only one user. And you’ll notice that the password is stored in the column named “user_pass”.

Notice the long string of random-looking text?

That’s the MD5-encrypted version of the password which, for the sake of this article, happens to be “password”; obviously you would NEVER use that are your password. 🙂

MD5 Encrypted User Password

MD5 Encrypted User Password

So to change the password but retain the encryption, simply click on the “Edit” link on the far left or the row.

To Edit User Information

To Edit User Information

This opens the table row editor and, normally when you change an entry in a database you can simply type in the new information but if you just do that for the password it won’t be encrypted and WordPress will think it is and you won’t be able to log in

To overcome that, simply go to user_pass row, select “MD5” under the “function” column and now you can type in the password in plain text.

Create MD5 Encrypted Password

Create MD5 Encrypted Password

When you save the row’s information, the MD5 encryption kicks in and encrypts the password.

Viola! You can now log in with the password you just entered.

One Final Thing

There is one caveat that only happens every now and then. Sometimes the password update doesn’t appear to take effect.

Most likely it is a caching issue and spending couple of minutes (or maybe an hour) away from your computer will solve the problem. You could also try clearing any caches.

Of course, you also may have mistyped the password so you can try that also.

No Comments

Leave a Reply

Your email address will not be published Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code class="" title="" data-url=""> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <pre class="" title="" data-url=""> <span class="" title="" data-url="">


Let me know what you think

Follow by Email


Enjoy this article? Please spread the word :)